Functional Program Verification
CS 4311
A. M. Stavely, Toward Zero Defect Programming, Addison-Wesley, 1999.
Y. Cheon and M. Vela, A Tutorial on Functional Program Verification, Technical Report 10-26, Dept. of Computer Science, University of Texas at El Paso, El Paso, TX, September 2010.
Outline
Non-testing techniques for V&V
Overview of functional verification
Program as functions
Intended functions
Verification
Derive proof obligations for an if statement without an else part.
// [f] if (B) S
Exercise
Write an intended function for the following code and prove the correctness of the code with respect to the intended function.

if (n > maxSize) {
    n = maxSize;
}
sum = sum + a;
avg = sum / n;
Verification of Iteration Statement
There is no known way of calculating the code function of a loop, so the proof is by induction.

// [f] while (B) S

Proof obligations
If B doesn't hold, the identity function is correct with respect to f: ¬B ⇒ I ⊑ f
If B holds, S followed by f is correct with respect to f: B ⇒ S; f ⊑ f
Termination (for total correctness), shown with a loop variant: an expression whose value is increased or decreased on every iteration.

The induction obligation comes from unfolding the loop once:
// [f] if (B) { S while (B) S }
// [f] if (B) { S [f] }        (assuming f is correct, the inner loop can be replaced by f)
Example

// f1: [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
while (i < a.length) { // f2: [sum, i := sum + a[i], i+1]
    sum += a[i];
    i++;
}

Proof obligations
Termination: loop variant a.length - i
Basis: ¬(i < a.length) ⇒ I ⊑ f1
Induction: i < a.length ⇒ f2; f1 ⊑ f1, and the loop body refines f2

Proof of basis
f1 ≡ [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
   ≡ [sum, i := sum + 0, anything]        (because i >= a.length, the sum is empty)
   ≡ [sum, i := sum, anything]
   ⊒ [sum, i := sum, i] = I
Example

// f1: [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
while (i < a.length) { // f2: [sum, i := sum + a[i], i+1]
    sum += a[i];
    i++;
}

Proof of induction step: i < a.length ⇒ f2; f1 ⊑ f1
f2; f1 ≡ [sum, i := sum + a[i], i + 1]; [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
       ≡ [sum, i := sum + a[i] + Σ_{j=i+1}^{a.length-1} a[j], anything]
       ≡ [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]        (because i < a.length)
       ≡ f1
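The basis and induction checks above carried out mechanically, as an added example that is not from the slides: f1, f2 and the loop body are written as Python state transformers, ⊑ is checked component-wise with None standing for "anything", and every obligation (basis, induction step, body ⊑ f2, variant decrease, whole loop ⊑ f1) is evaluated on constructed sample states. The names refines, obligations and SAMPLES are this example's own.

```python
# State transformers for the summation loop on the slides (added example).
# A state is a dict with keys "a", "sum", "i"; None stands for "anything".
def f1(state):
    # Loop function: [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
    a, i = state["a"], state["i"]
    return {"a": a, "sum": state["sum"] + sum(a[i:]), "i": None}

def f2(state):
    # Body function: [sum, i := sum + a[i], i + 1]
    a, i = state["a"], state["i"]
    return {"a": a, "sum": state["sum"] + a[i], "i": i + 1}

def body(state):
    # The actual loop body, executed statement by statement: sum += a[i]; i++
    s = dict(state)
    s["sum"] += s["a"][s["i"]]
    s["i"] += 1
    return s

def loop(state):
    # The actual loop: while (i < a.length) body
    while state["i"] < len(state["a"]):
        state = body(state)
    return state

def refines(g, f):
    # g ⊑ f: g agrees with f on every component f constrains (None = anything)
    return all(f[k] is None or g[k] == f[k] for k in f)

def obligations(state):
    # One boolean per obligation; one whose guard is false is vacuously True.
    i, n = state["i"], len(state["a"])
    b = i < n
    return {
        "basis": b or refines(dict(state), f1(state)),               # ¬B ⇒ I ⊑ f1
        "induction": (not b) or refines(f1(f2(state)), f1(state)),  # B ⇒ f2; f1 ⊑ f1
        "body": (not b) or refines(body(state), f2(state)),         # body ⊑ f2
        "variant": (not b) or n - body(state)["i"] < n - i,         # a.length - i decreases
        "loop": refines(loop(state), f1(state)),                    # whole loop ⊑ f1
    }

SAMPLES = [  # constructed states covering the guard true and false cases
    {"a": [3, 1, 4, 1, 5], "sum": 0, "i": 0},
    {"a": [3, 1, 4, 1, 5], "sum": 10, "i": 3},
    {"a": [3, 1, 4, 1, 5], "sum": 7, "i": 5},  # i == a.length: basis case
    {"a": [], "sum": 2, "i": 0},               # empty array: basis case
]

def all_obligations_hold(states=SAMPLES):
    return all(all(obligations(s).values()) for s in states)
```

Sample states only test the obligations; the proof on the slide is what establishes them for every state.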
Exercise
Prove the termination of the following loop.

while (low <= high) {
    int mid = (low + high) / 2;
    if (a[mid] < x)
        low = mid + 1;
    else if (a[mid] > x)
        high = mid - 1;
    else
        high = low - 1;
}
Initialized Loops
A loop is seldom used in isolation: it is usually preceded by initialization, and together they compute something useful. The loop's own function is more general than that of the initialized loop.